Intermediary publishers and European data protection: Delimiting the ambit of responsibility for third-party rights through a synthetic interpretation of the EU acquis

Abstract

With the explosion of computer technology, vastly more and more varied types of data related to individuals are being disseminated online, often without their consent. While intermediary publishers are not the initial and immediate cause of this, they generally play a contributory role and engage in further (semi-)autonomous processing such as organizing or promoting content. Current case law rather haphazardly recognizes intermediary publishers to be data protection 'controllers' and/or protected by the intermediary 'host' shield, while also acknowledging the engagement of general human rights law. Seeking to synthetically balance the competing purposes which underlie these three legal frameworks, this article argues that greater responsibility should flow from more autonomous control but that some shielding is still necessary for all intermediary publishers. Conceptually it is argued that such a synthetic approach leads to intermediary publishers being grouped into three increasingly autonomous categories-'processor hosts', 'controller hosts' and 'independent intermediaries'- which should be subject to a successively greater ambit of responsibility accordingly. Detailed elaboration of the resulting duties must also take account of the seriousness of the potential interference with competing rights and, in this regard, should give weight to the divergent resource capacity of otherwise similarly situated actors.